Tuesday, April 15, 2014

Heartbleed Marketing - Call for Ambulance chasers

TL;DR

We are looking for companies who wrap their services around heartbleed hype, to expose them in one consolidated list.

What has happened?

In the last 7 days we have seen an explosion in Security firms that can assist with your Heartbleed woes.  Some are legitimate, some just want to generate more leads, some have nothing of value and are abusing the media's fever pitch around Heartbleed.

Project Goal

I am building a list of vendors that have abused Heartbleed for personal gain.  Here are three examples of who has made the list so far:
  • Tripwire - offers "free" SecureScan
    • Existing customers must sign into "new" portal (marketing gathering data for upsales)
    • Non-customers cannot get a scan without providing personal data
    • http://www.tripwire.com/securescan/?home-banner
  • WhiteHat Security - offers 30 days WhiteHat Sentinel scanning service
    • You must enter in all personal data before getting your Heartbleed scan
    • https://info.whitehatsec.com/Social-SecurityCheck.html
  • DigiCert - offers "free" online scan
    • You must enter in all personal data before getting your Heartbleed scan
    • https://www.digicert.com/heartbleed-bug-vulnerability.htm
Here are examples of good ways to market your services, leveraging Heartbleed's attention in media:
  • Qualys - offers free online scan via SSL Labs
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://www.ssllabs.com/ssltest/
  • GlobalSign - offers free online scan via SSLCheck service
    • No marketing / sales wall
    • No requirement to fill out forms with company and personal data
    • https://sslcheck.globalsign.com/en_US

We need your data!

So, have a vendor that has emailed or tweeted about Heartbleed, only to find they want ALL your data before they can give you a status on Heartbleed?  Got someone who is using the Heartbleed name, though their service does not really have anything to do with Heartbleed attacks?  Send them in! @hackajar on twitter or gmail.com

NOTE:  I do get a lot of positive marketing emails from companies like Rapid7 and Imperva.  They say things like, "Hey existing customer, run these commands to get the value out of the product you already own!".  That, to me, is a positive use of Heartbleed in their marketing.

Wednesday, April 9, 2014

I HeartBleed NSA

Stickers Anyone?

Here is a high quality image to use for a shiny new laptop sticker!  Enjoy!
Wednesday, April 2, 2014

Why I am parting ways with Home Depot

Update: Here is the text from the FTC's CAN-SPAM compliance page for business, supporting my assertions in the online chat log below.
  1. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business

TL;DR

It is not worth anyone's time to do business with companies that fail to embrace technology in a meaningful way.

In summary

In 2014, it is important that companies and websites work with customers, not against them.  In the current Web 2.5 revolution, with noSql, redis, "responsive", bootstrap and all these tools designed to let websites drop in customer-friendly experiences, coupled with banks run as startups like Simple Bank, things should be better than this.  It bothers me when people use the dozens of excuses to explain away bad customer service.  People forget they can always "vote with your dollar", and given enough people who do this, change can and does happen.

It is because of the below experience with Home Depot - where they would rather explain to a seasoned web developer and security expert that he is the problem, not their site - that my principles have kicked in, and I had to cancel my account, solely on the basis that they no longer deserve my business.  I encourage everyone to do the same, that is, cancel business with a company that cannot or will not work towards providing good experiences for their customers, especially at a time in our existence when the tools are there to do so.

Email Marketing and You

Each time I log in to my Home Depot account (I do a lot of home projects that dictate having a home-improvement-only line of credit) I am greeted with a screen asking if I want to be emailed about daily deals, sales and promotions.  Each time I click "No thank you" (I had given up on "Do not ask again" years ago).  Today, I accidentally clicked the "Submit" button - which is a bright orange icon, in contrast to the small, text-only link that says "no thank you" - causing me to suddenly be added to their approved marketing list.

Fixing a mistake

Simple task #1 before I pay my bill: go in and update my "Communications Preferences".  Digging into the site, I find the correct link.  But, upon clicking, nothing actually loads on screen.  Odd, so I try accessing the link from different spots (they let you get there from the drop-down and from different preference sections buried in the site).  Still, all the "frames" of the site load (header and footer), but not the actual preferences.  Time to contact them about this...

My Chat with Customer Support

Here is the exact chat transcript with customer support.  I will admit that at this point I am getting pretty pissed, so excuse some of the language:
Welcome
A Home Depot Credit Services Associate will help you in approximately 0 minutes 2 seconds.

For your protection, we'll never ask you for passwords, PINs, User IDs, security words or any part of your social security number during a chat. Other information may be required to help us verify your identity.
You are now chatting with Chad.
Chad: Hello, welcome to Home Depot live chat in Tennessee my name is Chad. What can I help you with today?
IMHOFF,ROBERT: how do I update contact preferences?
IMHOFF,ROBERT: I click link and page does not load
IMHOFF,ROBERT: I am really mad that you ask me every time to allow you to send crap to my email address
IMHOFF,ROBERT: and I always click "no thank you"
IMHOFF,ROBERT: today I accidentally clicked "submit"
IMHOFF,ROBERT: now, when I try to undo that action, the page to turn it off does not load
IMHOFF,ROBERT: (kind of a dick move on your part)
Chad: I'll be glad to help you with this today. Please go under the Account Profile tab at the top of the page and choose Edit Contact Information to make your updates.
Chad: Also. Just as a reminder, you can set up payment alerts online to email you about your upcoming payment that is due.
IMHOFF,ROBERT: I clicked "Edit contact information"
IMHOFF,ROBERT: then I click "view communications preference" and nothing loads
Chad: So none of the options under the tabs are pulling up to view or make changes?
IMHOFF,ROBERT: I see the "Email Address" section under "Contact Information"
IMHOFF,ROBERT: in that section there is a link to "View Communications Preference"
IMHOFF,ROBERT: I click that link and only the "Need Help?" side bar loads
Chad: What are you trying to do?
IMHOFF,ROBERT: turn off email communications related to sales and marketing
Chad: That has to be done by a customer service rep. For verification, may I have your first and last name?
IMHOFF,ROBERT: what has to be done by a rep?
IMHOFF,ROBERT: turn off email communications related to marketing?
Chad: Yes.
IMHOFF,ROBERT: so you are ok with violating the CANSPAM act?
IMHOFF,ROBERT: which states a customer must be able to turn off emails electronically and NOT through a customer service rep?
Chad: Never heard of it. I apologize.
Chad: Please call tech support at 1-866-875-5488 and they may be able to guide you on how you van make those changes on your won.
Chad: own*
IMHOFF,ROBERT: ok, thanks

Phone Support

Sorry, no phone records for this one.  But in summary:

  • Tried 5 browsers - Firefox, Chrome and Safari on Mac OS X, plus Chrome Mobile and IE 11 on Windows 8.1
  • Was told that "One browser controls the preference for all browsers"
  • Was told that it must be my firewall causing one page on their site not to load

So long and thanks for the fish

I asked, "Can you cancel my account?"
"No, but I can transfer you"
"Sure, let's do that"
CS: "Hi, how may I assist?"
"I would like to cancel my account"
[redacted customer information]
"Why would you like to cancel your account?"
"You employ too many stupid people, and 1998 called, it wants its website/support back"
Monday, January 27, 2014

What can a small Boycott at Chevy's Really Achieve Against RSA and NSA?

A guest blog post by Jennifer Imhoff

As you have probably noticed, we have been flooding social media with posts about a CrowdTilt to buy out Chevy's during RSA.  We are very close to our goal, but with well over 400 "likes" and hundreds of "re-tweets" we are still in danger of not meeting our $7000 goal.  Unless you're familiar with the RSA conference and the social patterns of attendees, this CrowdTilt might seem odd.


Just how exactly is buying out a Chevy's restaurant any sort of boycott against RSA, and why should we be boycotting RSA?


At the end of 2013, it was discovered that RSA - one of the most influential computer security firms - had very dramatically changed its once adversarial relationship with the National Security Administration (those guys doing the wiretaps) to an almost conspiratorial one. For a mere $10 million (iPhone apps have cumulatively sold for more), RSA agreed to use an NSA-designed formula in the encryption tools they sell, knowing full well that the formula - designed to generate random numbers - was deliberately flawed in such a way that the NSA would be able to access any account using it.
(http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220)


This "back door" into our computers, our lives, our privacy is not only completely unwarranted but affects both our corporate AND PERSONAL computers.


Our privacy was sold out for less than the cost of most luxury homes.


And if you're saying to yourself "I've got nothing to hide, so why should I be concerned", then I urge you to read this very well written article by Kurt Opsahl from the EFF on how something as simple as a phone log can be detrimental to many lives:  https://www.eff.org/deeplinks/2013/06/why-metadata-matters


And let us not forget too quickly that this is the same RSA that was hacked by an even less trustworthy entity just three years ago. Don't think the NSA is the only one with a backdoor into their networks and tools.


So what does all this have to do with Chevy's?


The RSA conference is held yearly at the Moscone Center in San Francisco. The conference hosts talks on data security as well as a large expo floor that has been a major influence on the business relations of security-related companies, from networking hardware to mobile security software. The conference hosts hundreds of people from across the nation. These networking opportunities often seek quieter venues offsite to talk more or complete a deal over lunch. However, because it is located in the center of the "SOMA" district, dining options within walking distance are limited to very high-end places, with just one exception: Chevy's Grill.


Over the years, Chevy's has quickly become THE place to go for a simple lunch that anyone can order from, where the menu is cheap and the margaritas are strong.  Chevy's has become the unofficial "lobby con" of RSA, an assured place to find a friend amongst the hundreds of suits, and the quickest way to get the attention of all the various businesses that work with RSA.  We want to buy out the Chevy's so we can restrict the business that day to only those on our list. We want each company representative to walk to the front door because it's the only place without a line - the place they have always gone - only to be inconvenienced by being denied access.  When they stop to ask why, our lab-coat volunteers will have the opportunity to explain to them why, making them aware of what RSA has done and how it affects everyone.


So please, we urge you to support our cause.  If you're not going to RSA, your $25 donation will still help.  If you can't help financially, then please re-tweet, re-post, and support us!

Jennifer Imhoff
Vegas 2.0

Monday, September 9, 2013

(ISC)2 Board of Directors Endorsements

Major Endorsements

Jack Daniels @jack_daniels - Information Security Researcher for over 20 years
Jericho @attritionorg - Maintainer of the Security Charlatan List for 10+ years
Boris Sverdlik @jadedsecurity - Also running for (ISC)2 board, maintainer of dontclickshit.com

Plus over 200 CISSP and SSCP members of (ISC)2

Candidate of the Members

Shouldn't the (ISC)2 board of directors have a candidate on the ballot at the request of its members?  All 5 names currently on the ballot are there at the request of the current board of directors, not because the over 80k members asked for them to be there.

Email Now!

Simply email hackajar@gmail.com with your name, member ID and a quick note endorsing Robert Imhoff for Board of Directors.  That's it!

Thursday, September 5, 2013

(ISC)2 Board is ready for change

Change Starts Today

The (ISC)2 Board of Directors has the power to make your CISSP certification count.  So why haven't they done anything about the creep into irrelevance of this important certification?

Send an email to hackajar@gmail.com with your CISSP number and name as it appears on your certificate and a note that you support Robert Imhoff for board of directors.

Make them put a candidate on the ballot who is ready to make the tough decisions.

Robert Imhoff-Dousharm

Friday, August 23, 2013

Women in Information Security

TL;DR

Many changes and improvements have occurred in the last 10 years which have enabled the Information Security profession to be a more welcoming place for women.  It continues to make improvements every day to further this welcoming atmosphere.

Op-Ed: Women are succeeding in InfoSec

In the Information Security profession, diversity comes second only to having the requisite technical skill set.  It has to.  Diverse viewpoints enable security professionals to see a problem before a hacker does, and fix it before it can be exploited.  This need for diversity makes the current landscape of the Information Security industry - also known as White Hats, Black Hats, Hackers, Security Researchers, among others - a hotbed of opportunity for career-minded people of both genders.

Unfortunately, this diversity is not always evident in Information Security.  Security conferences, where security professionals gather, are where the lack of diversity is often most visible. A majority of speakers and panelists are male. Globally, only 9% of speakers/panelists are female. At the same time, the majority of conference attendees are also male.

Where many argue that drastic changes are needed, I believe many of these desired changes are already underway. Thirteen years ago, the first conference I participated in was an almost exclusively male gathering. The women present were accompanying a male attendee. Today, the number of women attending conferences is increasing year over year and they are active participants. The average age of attendees is increasing too.  I believe that the community that, not long ago, was known as an immature bunch of boys is growing into a more balanced and self-regulated community. Recent initiatives at these types of conferences include entire sections dedicated to working with kids, and throwing M80 dynamite in hotel pools isn't as common as it used to be. While many women testify that the community improves itself continuously, their attendance - often on their own budget - is a testament to the lessons we as a community have learned.

At the same time, the number of women in security jobs is increasing.  I have witnessed this myself during my tenure at a Fortune 500 company in Silicon Valley.  While I was working on their internal security team, made up of 60 people across the globe, 40% of the staff was female (well above industry averages).  This was especially noticeable in the Audit & Compliance division, where women actually outnumbered men.  In fact, the present Chief Information Security Officer at that company is female, as was her predecessor.  Investing in diversity grew dividends for the business.  My personal growth and understanding of Information Security, business and risk management would not have occurred if not for the consistent feedback from everyone, women and men alike.  In turn, I have shared my knowledge without discrimination. It is how we as a community work and how we collectively get better. Better at what we do and better at who we are.

Change is happening in education as well.  Women are now outpacing men in college degrees issued in Science, Technology, Engineering and Math (STEM), although not in Computer Science. Not just yet.  STEM degrees are the core of the Information Security industry.  In response, many professional security organizations like (ISC)2 have started offering scholarships to encourage women to enter the Information Security industry. This helps in bridging the gap, and I can only hope to see a greater influx of such initiatives.

It pays to be in Information Security.  The average salary for junior-level positions sits at $60k to $90k USD per year, with senior positions topping out at $250k.  According to research by Dice.com - a technology-focused careers site - the pay gap between women and men in IT has virtually disappeared.  This means that not only are there careers waiting for anyone who wants them - with year-over-year demand increasing by 27% for the last 10 years - but while staying intellectually challenged, one won't go hungry either.

Recently, we have seen attacks on the information security community. Pointing out fundamental and structural flaws is one thing. Gutting a community that, over more than a decade, has made great strides forward is of a completely different and questionable level, to say the least. With the growing importance of information security in the world comes great responsibility. A responsibility I am sure our community and industry will take up and honor.

As we keep focusing on a healthy, diverse and cooperative future while learning from our past, I am confident that a positive and inclusive industry is the common goal that keeps us together.

References:

Information Security Job Growth Part 1
Villanova University

When Geeks Attack
Marie Claire

Spotlight on Women in Tech
Dice.com

Information Security Scholarships for Women
(ISC)2